Showing papers in "Journal of Cryptographic Engineering in 2017"


Journal ArticleDOI
TL;DR: A cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f, which can fully recover the private key after observing 16,000 decryptions.
Abstract: The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

141 citations


Journal ArticleDOI
TL;DR: Several Bayes classifiers are investigated, which present simple supervised techniques that have significant similarities with the template attack, with the aim of investigating the influence of feature (in)dependence in datasets with different amounts of noise and offering further insight into the efficiency of machine learning for side-channel analysis.
Abstract: Side-channel attacks represent one of the most powerful categories of attacks on cryptographic devices, with profiled attacks in a prominent place as the most powerful among them. Indeed, for instance, the template attack is a well-known real-world attack that is also the most powerful attack from the information-theoretic perspective. On the other hand, machine learning techniques have proved their quality in numerous applications, one of which is definitely side-channel analysis. As one could expect, most of the research concerning supervised machine learning and side-channel analysis concentrated on more powerful machine learning techniques. Although valid from the practical perspective, such attacks often remain lacking from the more theoretical side. In this paper, we investigate several Bayes classifiers, which present simple supervised techniques that have significant similarities with the template attack. More specifically, our analysis aims to investigate the influence of feature (in)dependence in datasets with different amounts of noise and to offer further insight into the efficiency of machine learning for side-channel analysis.

38 citations


Journal ArticleDOI
TL;DR: This paper demonstrates that EM injection, performed with enhanced injectors, can produce not only timing faults but also bit-set and bit-reset faults on an IC at rest and extends the range of the threats associated with EM fault injection.
Abstract: Electromagnetic (EM) waves have recently been pointed out as a medium for fault injection within integrated circuits (IC). Indeed, it has been experimentally demonstrated that an EM pulse (EMP), produced with a high-voltage pulse generator and an injector similar to that used to perform EM analyses, was able to create faults exploitable from a cryptanalysis viewpoint. An analysis of the induced faults revealed that they originated from timing constraint violations. In this context, this paper demonstrates that EM injection, performed with enhanced injectors, can produce not only timing faults but also bit-set and bit-reset faults on an IC at rest. This first result clearly extends the range of the threats associated with EM fault injection. It then demonstrates, considering two different ICs under operation, an FPGA and a modern microcontroller, that faults produced by EMP injection are not timing faults but correspond to a different model which is presented in this paper. This model makes it possible to explain the experimental results introduced in all former communications.

37 citations


Journal ArticleDOI
TL;DR: In this article, the authors demonstrate the first successful real-world FPGA hardware Trojan insertion into a commercial product, where the targeted USB flash drive is intercepted before being delivered to the victim, and the attacker is able to obtain all user data from the ciphertexts.
Abstract: As part of the revelations about the NSA activities, the notion of interdiction has become known to the public: the interception of deliveries to manipulate hardware in a way that backdoors are introduced. Manipulations can occur on the firmware or at hardware level. With respect to hardware, FPGAs are particularly interesting targets as they can be altered by manipulating the corresponding bitstream which configures the device. In this paper, we demonstrate the first successful real-world FPGA hardware Trojan insertion into a commercial product. On the target device, a FIPS-140-2 level 2 certified USB flash drive from Kingston, the user data are encrypted using AES-256 in XTS mode, and the encryption/decryption is processed by an off-the-shelf SRAM-based FPGA. Our investigation required two reverse-engineering steps, related to the proprietary FPGA bitstream and to the firmware of the underlying ARM CPU. In our Trojan insertion scenario, the targeted USB flash drive is intercepted before being delivered to the victim. The physical Trojan insertion requires the manipulation of the SPI flash memory content, which contains the FPGA bitstream as well as the ARM CPU code. The FPGA bitstream manipulation alters the exploited AES-256 algorithm in a way that it turns into a linear function which can be broken with 32 known plaintext–ciphertext pairs. After the manipulated USB flash drive has been used by the victim, the attacker is able to obtain all user data from the ciphertexts. Our work indeed highlights the security risks and especially the practical relevance of bitstream modification attacks that became realistic due to FPGA bitstream manipulations.

28 citations


Journal ArticleDOI
TL;DR: This work presents a novel simple power analysis (SPA) of the binary extended Euclidean algorithm (BEEA) that reveals some exploitable power consumption-related leakages, which can be exploited in many cryptographic protocols where the modular inversion operation is applied to a secret argument.
Abstract: The execution flow of the binary extended Euclidean algorithm (BEEA) is heavily dependent on its inputs. Taking advantage of that fact, this work presents a novel simple power analysis (SPA) of this algorithm that reveals some exploitable power consumption-related leakages. The exposed leakages make it possible to retrieve some bits of the algorithm’s secret input without profiling the target device. The identified vulnerabilities can be exploited in many cryptographic protocols where the modular inversion operation is applied to a secret argument. In this work, the ECDSA protocol is used to exemplify how the presented SPA can be used to disclose in about 2 min all standardized private key sizes using less than 800 traces. In the context of ECDSA, a countermeasure previously proposed to mitigate a timing leakage during scalar multiplication is also analyzed, showing that, when it is improperly implemented, it enhances the proposed bit recovery method. Three countermeasures for removing SPA leakages from a BEEA implementation are also analyzed.

26 citations


Journal ArticleDOI
TL;DR: It is proved that a PUF family whose underlying mathematical model is unknown is inherently vulnerable to the novel probably approximately correct learning framework, and the theorem that all PUFs must have some challenge bit positions which have larger influence on the responses than other challenge bits is provided.
Abstract: Although numerous attacks revealed the vulnerability of different PUF families to noninvasive machine learning (ML) attacks, the question is still open whether all PUFs might be learnable. Until now, virtually all ML attacks rely on the assumption that a mathematical model of the PUF functionality is known a priori. However, this is not always the case, and attention should be paid to this important aspect of ML attacks. This paper aims to address this issue by providing a provable framework for ML attacks against a PUF family, whose underlying mathematical model is unknown. We prove that this PUF family is inherently vulnerable to our novel probably approximately correct learning framework. We apply our ML algorithm on the Bistable Ring PUF (BR-PUF) family, which is one of the most interesting and prime examples of a PUF with an unknown mathematical model. We practically evaluate our ML algorithm through extensive experiments on BR-PUFs implemented on field-programmable gate arrays. In line with our theoretical findings, our experimental results strongly confirm the effectiveness and applicability of our attack. This is also interesting since our complex proof heavily relies on the spectral properties of Boolean functions, which are known to hold only asymptotically. Along with this proof, we further provide the theorem that all PUFs must have some challenge bit positions, which have larger influences on the responses than other challenge bits.

23 citations


Journal ArticleDOI
TL;DR: This work provides a systematic analysis on and search for 8-bit Sbox constructions that can intrinsically feature the threshold implementation (TI) concept, while still providing high resistance against cryptanalysis.
Abstract: Block ciphers are arguably the most important cryptographic primitive in practice. While their security against mathematical attacks is rather well understood, physical threats such as side-channel analysis (SCA) still pose a major challenge for their security. An effective countermeasure to thwart SCA is using a cipher representation that applies the threshold implementation (TI) concept. However, there are hardly any results available on how this concept can be adopted for block ciphers with large (i.e., 8-bit) Sboxes. In this work we provide a systematic analysis on and search for 8-bit Sbox constructions that can intrinsically feature the TI concept, while still providing high resistance against cryptanalysis. Our study includes investigations on Sboxes constructed from smaller ones using Feistel, SPN, or MISTY network structures. As a result, we present a set of new Sboxes that not only provide strong cryptographic criteria, but are also optimized for TI. We believe that our results will find an inspiring basis for further research on high-security block ciphers that intrinsically feature protection against physical attacks.

20 citations


Journal ArticleDOI
TL;DR: The result showed that the proposed hardware/software co-attack, which hijacks the program flow on microcontrollers, can overwrite a return address stored on the stack and call an arbitrary malicious function.
Abstract: In this paper, we present a hardware/software co-attack to hijack a program flow on microcontrollers. The basic idea is to skip a few instructions using multiple fault injection in microcontrollers in cooperation with a software attack. We focus on buffer overflow (BOF) attacks together with such multiple fault injection. The proposed attack can be applied to program code with a typical software countermeasure against BOF attacks. The attack manipulates the program control flow by skipping specific instructions related to the countermeasure, and thus the subsequent BOF attack code is successfully executed on the microcontroller. We show the effectiveness of our proposed attack through experiments using an 8-bit AVR ATmega163 microcontroller and a 32-bit ARM Cortex-M0+ microcontroller, where the target software was equipped with a countermeasure limiting the size of user input against BOF attacks. The result showed that our attack can overwrite a return address stored on the stack and call an arbitrary malicious function. We also propose a software countermeasure against our attack and prove its validity by examining all the possible instruction skips.

18 citations


Journal ArticleDOI
TL;DR: In this paper, the authors combine dimensionality reduction and online stochastic approach to derive closed-form expressions of the resulting optimal distinguisher in terms of matrix operations, in all situations where the model can be either profiled offline or regressed online.
Abstract: Side-channel attacks allow one to extract secret keys from embedded systems like smartcards or smartphones. In practice, the side-channel signal is measured as a trace consisting of several samples. Also, several sensitive bits are manipulated in parallel, each leaking differently. Therefore, the informed attacker needs to devise side-channel distinguishers that can handle both multivariate leakages and multiple models. In the state of the art, these two issues have two independent solutions: on the one hand, dimensionality reduction can cope with multivariate leakage; on the other hand, the online stochastic approach can cope with multiple models. In this paper, we combine both solutions to derive closed-form expressions of the resulting optimal distinguisher in terms of matrix operations, in all situations where the model can be either profiled offline or regressed online. Optimality here means that the success rate is maximized for a given number of traces. We recover known results for uni- and bivariate models (including correlation power analysis) and investigate novel distinguishers for multiple models with more than two parameters. In addition, following ideas from the AsiaCrypt 2013 paper “Behind the Scene of Side-Channel Attacks,” we provide fast computation algorithms in which the traces are accumulated prior to computing the distinguisher values.

17 citations


Journal ArticleDOI
TL;DR: This paper introduces two new attack algorithms on RSA with CRT, which improve the attack efficiency considerably; attacks on blinding factors of length $$R=64$$ have definitely become practical, and for small error rates even $$R=96$$ may be overcome.
Abstract: Schindler and Itoh (Applied cryptography and network security, ACNS 2011. Lecture Notes in Computer Science, vol 6715. Springer, Berlin, pp 73–90, 2011) and Schindler and Wiemers (J Cryptogr Eng 4:213–236, 2014. doi:10.1007/s13389-014-0081-y) treat generic power attacks on RSA implementations (with CRT/without CRT) and on ECC implementations (scalar multiplication with the long-term key), which apply exponent blinding or scalar blinding, respectively, as an algorithmic countermeasure against side-channel attacks. In Schindler and Itoh (2011) and Schindler and Wiemers (2014), it is assumed that an adversary has guessed the blinded exponent bits/the blinded scalar bits independently for all power traces and for all bit positions, and that each bit guess is false with probability $$\epsilon_b > 0$$. Three main types of attacks and several variants thereof were introduced and analysed in Schindler and Itoh (2011) and Schindler and Wiemers (2014). The attacks on RSA with CRT are the least efficient since the attacker has no information on $$\phi(p)$$. In this paper, we introduce two new attack algorithms on RSA with CRT, which improve the attack efficiency considerably. In particular, attacks on blinding factors of length $$R=64$$ have definitely become practical, and for small error rates $$\epsilon_b$$ even $$R=96$$ may be overcome.

16 citations


Journal ArticleDOI
TL;DR: The present work studies how linear systematic error correcting codes can simply be used to detect fault injections during nonlinear operations in a symmetric block cipher for the faults that cause errors with limited Hamming weight.
Abstract: Recently, Bringer et al. [10] introduced a new countermeasure based on linear codes. This elegant design aims at protecting the advanced encryption standard against both side-channel attacks and fault attacks (FA). However, the fault detection during nonlinear operations (for example the SubBytes operation) was left as an open question. The present work studies how linear systematic error correcting codes can simply be used to detect fault injections during nonlinear operations in a symmetric block cipher. In particular, for the faults that cause errors with limited Hamming weight, this method can lead to interesting detection capabilities. Considering this way of protecting AES encryption against FA, a concrete implementation is presented. For a given fault model, a methodology of formal verification is applied to some parts of this implementation, assessing the fault resistance of one linear operation, AddRoundKey, and one nonlinear operation, SubBytes.

Journal ArticleDOI
TL;DR: An ideal security verification solution naturally handling both hardware and software components is sketched, and formal verification methods that have already been proposed for mixed hardware/software systems are evaluated with regard to the ideal method.
Abstract: Critical and privacy-sensitive applications of smart and connected objects, such as health-related objects, are now common, thus raising the need to design these objects with strong security guarantees. Many recent works offer practical hardware-assisted security solutions that take advantage of a tight cooperation between hardware and software to provide system-level security guarantees. Formally and consistently proving the efficiency of these solutions raises challenges since software and hardware verification approaches generally rely on different representations. The paper first sketches an ideal security verification solution naturally handling both hardware and software components. Next, it proposes an evaluation of formal verification methods that have already been proposed for mixed hardware/software systems, with regard to the ideal method. At last, the paper presents a conceptual approach to this ideal method relying on ProVerif, and applies this approach to a remote attestation system (SMART).

Journal ArticleDOI
TL;DR: This work examines several statistical power analysis attack countermeasures in the literature and groups them into three broad categories consisting of secure logic styles, alterations to existing functional modules, and the inclusion of additional modules designed to enhance security.
Abstract: While the cryptographic modules used in modern embedded systems may employ mathematically secure algorithms, an attacker may still be able to compromise the security of a design using side-channel analysis. Side-channel attacks use leaked information in order to make inferences regarding the value of the secret key used for encryption. Statistical power analysis attacks are a class of side-channel attack which target power consumption as a leakage vector and apply statistical analysis to collected traces. As these attacks have been proven to be effective on a variety of hardware implementations, there exists a corresponding body of research regarding countermeasures. This work examines several statistical power analysis attack countermeasures in the literature and groups them into three broad categories consisting of secure logic styles, alterations to existing functional modules, and the inclusion of additional modules designed to enhance security. While a variety of options are available to a designer, there will always be a corresponding trade-off in terms of overhead factors like additional power consumption and area. As such, this work seeks to document and classify several of the approaches presented in the literature in order to help designers better select a countermeasure suited to their needs.

Journal ArticleDOI
TL;DR: Motivated by the fact that the unknown branch predictors of standard processors bear a strong correlation with 2-bit dynamic predictors, a formal analysis of such a predictor under faults shows that differences of branch misses under the effect of such faults can be exploited to attack implementations of RSA-like asymmetric key algorithms based on square and multiply operations.
Abstract: Implementations of asymmetric key algorithms have been threatened via timing side channels due to the behavior of the underlying branch predictors. However, the effect of faults on such predictors and the consequences thereof on the security of crypto-algorithms have not been studied. Motivated by the fact that unknown branch predictors of standard processors bear a strong correlation with 2-bit dynamic predictors, this paper develops a formal analysis of such a bimodal predictor under the effect of faults. Assuming a popular bit-flip fault model, the analysis shows that differences of branch misses under the effect of such faults can be exploited to attack implementations of RSA-like asymmetric key algorithms based on square and multiply operations. Furthermore, these attacks can also be threatening against the Montgomery ladder of CRT-RSA (RSA implemented using the Chinese Remainder Theorem) and even against fault attack countermeasures which stop or randomize the output in case of a fault. The theoretical claims have been substantiated by detailed fault simulations, where the difference of branch misses has been observed using the “perf” tool in Linux.

Journal ArticleDOI
TL;DR: The proposed method requires around 16% fewer word operations compared to Montgomery-ladder, square-always and square-and-multiply-always exponentiations, and implementation results show an improvement by more than 12% compared to approaches which are both regular and constant time.
Abstract: In this paper, we consider efficient RSA modular exponentiations $$x^K \mod N$$ which are regular and constant time. We first review the multiplicative splitting of an integer x modulo N into two half-size integers. We then take advantage of this splitting to modify the square-and-multiply exponentiation as a regular sequence of squarings always followed by a multiplication by a half-size integer. The proposed method requires around 16% fewer word operations compared to Montgomery-ladder, square-always and square-and-multiply-always exponentiations. These theoretical results are validated by our implementation results, which show an improvement by more than 12% compared to approaches which are both regular and constant time.

Journal ArticleDOI
TL;DR: In this paper, incremental and time–memory trade-off techniques for computing the Pearson product-moment correlation coefficient are applied to second-order power attacks, reducing the attack cost significantly when adding new traces to an existing dataset, and the potentially huge trace set is split into smaller manageable chunks to reduce the memory requirements.
Abstract: Since the discovery of simple power attacks, the cryptographic research community has developed significantly more advanced attack methods. The idea behind most algorithms remains to perform a statistical analysis by correlating the power trace obtained when executing a cryptographic primitive to a key-dependent guess. With the advancements of cryptographic countermeasures, it is not uncommon that sophisticated (higher order) power attacks require computation on many millions of power traces to find the desired correlation. In this paper, we study the computational aspects of calculating the most widely used correlation coefficient: the Pearson product-moment correlation coefficient. We study various time–memory trade-off techniques which apply specifically to the cryptologic setting and present methods to extend already completed computations using incremental versions. Moreover, we show how this technique can be applied to second-order attacks, reducing the attack cost significantly when adding new traces to an existing dataset. We also present methods which allow one to split the potentially huge trace set into smaller, more manageable chunks to reduce the memory requirements. Our parallel implementation of these techniques highlights the benefits of this approach as it allows efficient computations on power measurements consisting of hundreds of gigabytes on a single modern workstation.

Journal ArticleDOI
TL;DR: This article proposes a complementary approach: smart dynamic management of the whole set of countermeasures embedded in the component, based on a double-processor architecture that applies a given security strategy, but without requesting sensitive data from the first processor.
Abstract: Among other threats, secure components are subjected to physical attacks whose aim is to recover the secret information they store. Most of the work carried out to protect these components generally consists in developing protections (or countermeasures) taken one by one. But this “countermeasure-centered” approach drastically decreases the performance of the chip in terms of power, speed and availability. In order to overcome this limitation, we propose a complementary approach: smart dynamic management of the whole set of countermeasures embedded in the component. Three main specifications for such management are required in a real-world application (for example, a conditional access system for Pay-TV): it has to provide capabilities for the chip to distinguish between attacks and normal use cases (without the help of a human being and in a robust but versatile way); it also has to be based on mechanisms which dynamically find a trade-off between security and performance; and all these mechanisms have to be formalized in a way which is clearly understandable by the designer. In this article, a prototype which enables such security management is described. The solution is based on a double-processor architecture: one processor embeds a representative set of countermeasures (and mechanisms to define their parameters) and executes the application code. The second processor, on the same chip, applies a given security strategy, but without requesting sensitive data from the first processor. The chosen strategy is based on fuzzy logic reasoning to enable the designer to describe, using a fairly simple formalism, both the attack paths and the normal use cases. A proof of concept has been proposed for the smart card part of a conditional access system for Pay-TV, but it could easily be fine-tuned for other applications.

Journal ArticleDOI
TL;DR: This work analyzes three different software encoding schemes with respect to fault injection attacks and shows that implementations based on table lookup operations provide reasonable security margin and thwart fault propagation.
Abstract: Recently, several software encoding countermeasures were proposed, utilizing the side-channel hiding concept for software implementations. While these schemes aim to protect the underlying code against various leakage models, they can also be utilized against fault injection attacks to some extent. This property comes from the data redundancy that is being employed in order to equalize the leakage. In this work, we analyze three different software encoding schemes with respect to fault injection attacks. We use a custom-made code analyzer to check the vulnerabilities in the assembly code, and we experimentally support our results using laser fault injection technique. Our results show that implementations based on table lookup operations provide reasonable security margin and thwart fault propagation.

Journal ArticleDOI
TL;DR: This paper proposes an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014 and leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modelling.
Abstract: Side-channel attacks generally rely on the availability of good leakage models to extract sensitive information from cryptographic implementations. The recently introduced leakage certification tests aim to guarantee that this condition is fulfilled based on sound statistical arguments. They are important ingredients in the evaluation of leaking devices since they allow a good separation between engineering challenges (how to produce clean measurements) and cryptographic ones (how to exploit these measurements). In this paper, we propose an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014. This gain admittedly comes at the cost of a couple of heuristic (yet reasonable) assumptions on the leakage distribution. To confirm its relevance, we first show that it allows confirming previous results of leakage certification. We then put forward that it leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modelling.

Journal ArticleDOI
TL;DR: It turns out that these classes of cryptographically strong functions are also characterized with a very low hardware implementation cost, making these functions attractive candidates for the use in certain stream cipher schemes.
Abstract: Recently, a class of cryptographic Boolean functions called generalized Maiorana–McFarland (GMM) functions was proposed in Zhang and Pasalic (IEEE Trans Inf Theory 60(10):6681–6695, 2014). In particular, it was demonstrated that certain subclasses within the GMM class satisfy all the relevant cryptographic criteria, including a good resistance to (fast) algebraic cryptanalysis. However, the issue of efficient hardware implementation, which is of crucial importance when such a function is used as a filtering function in certain stream cipher encryption schemes, has not been addressed in Zhang and Pasalic (2014). In this article, we analyze the complexity of hardware implementation of these subclasses and provide some exact estimates in terms of the number of elementary circuits needed. It turns out that these classes of cryptographically strong functions are also characterized by a very low hardware implementation cost, making these functions attractive candidates for use in certain stream cipher schemes.

Journal ArticleDOI
TL;DR: In this article, the modular extension protection scheme in previously existing and newly contributed variants of the countermeasure on elliptic curve scalar multiplication (ECSM) algorithms is investigated.
Abstract: Fault injection attacks are a real-world threat to cryptosystems, in particular asymmetric cryptography. In this paper, we focus on countermeasures which guarantee the integrity of the computation result, hence covering most existing and future fault attacks. Namely, we study the modular extension protection scheme in previously existing and newly contributed variants of the countermeasure on elliptic curve scalar multiplication (ECSM) algorithms. We find that an existing countermeasure is incorrect and we propose a new “test-free” variant of the modular extension scheme that fixes it. We then formally prove the correctness and security of modular extension: specifically, the fault non-detection probability is inversely proportional to the security parameter. Finally, we implement an ECSM protected with test-free modular extension during the elliptic curve operation to evaluate the efficiency of this method on Edwards and twisted Edwards curves.

Journal ArticleDOI
TL;DR: It is shown that some ‘optimal’ estimation procedures following a problem-based approach, rather than the systemic use of heuristics following an accuracy-based approach, can make MIA more efficient and flexible, and that a practical guideline for tuning the hyperparameters involved in MIA should be designed.
Abstract: The wide attention given to the mutual information analysis (MIA) is often connected to its statistical genericity, denoted flexibility in this paper. Indeed, MIA is expected to lead to successful key recoveries with no reliance on a priori knowledge about the implementation (impacted by the error modeling made by the attacker) and with as few assumptions as possible about the leakage distribution (i.e. able to exploit information lying in any statistical moment and to detect all types of functional dependencies), up to the error modeling, which impacts its efficiency (and even its effectiveness). However, emphasis is put on the powerful generality of the concept behind the MIA, as well as on the significance of adequate probability density function (PDF) estimation, which seriously impacts its performance. In contrast to its theoretical advantages, MIA suffers from underperformance in practice, limiting its usage. Considering that this underperformance could be explained by suboptimal estimation procedures, we studied MIA in depth by analyzing the link between the setting of the tuning parameters involved in the commonly used nonparametric density estimation, namely kernel density estimation, and three criteria: the statistical moment where the leakage prevails, MIA’s efficiency and its flexibility, according to the classical Hamming weight model. The goal of this paper was, therefore, to cast some interesting light on the field of PDF estimation issues in MIA, for which much work has been devoted to finding improved estimators having their pros and cons, while little attempt has been made to identify whether existing classical methods can be practically improved or not according to the degree of freedom offered by hyperparameters (when available).
We show that some ‘optimal’ estimation procedures following a problem-based approach rather than the systemic use of heuristics following an accuracy-based approach can make MIA more efficient and flexible, and that a practical guideline for tuning the hyperparameters involved in MIA should be designed. The results of this analysis allowed us to define a guideline based on a detailed comparison of MIA’s results across various simulations and real-world datasets (including publicly available ones such as DPA contest V2 and V4.1).
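The following is an added example, not code or data from the paper above: it runs a first-order MIA with Gaussian kernel density estimation on constructed leakage, so that the effect of the one hyperparameter the abstract is about, the kernel bandwidth, can be seen directly. The 4-bit PRESENT S-box stands in for a real S-box, the leakage is a Hamming-weight model plus Gaussian noise generated inline, the MI estimator is a plug-in (resubstitution) entropy integrated numerically on a fixed grid, and the Silverman rule of thumb is used as the "reasonable" bandwidth; all of these are choices of this example, not the paper's.

```python
"""Mutual information analysis (MIA) with kernel density estimation.

Added example on constructed leakage (not the paper's code or datasets).
"""
import math
import random

# PRESENT S-box: a 4-bit stand-in for a real S-box (16 key guesses, 5 HW classes).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(v).count("1") for v in range(16)]
GRID = [-2.5 + 0.1 * i for i in range(101)]       # integration grid, step 0.1


def simulate_traces(n, key, sigma, seed=0):
    """Constructed leakage: one sample per trace, HW(S[pt ^ key]) + N(0, sigma^2)."""
    rng = random.Random(seed)
    pts = [rng.randrange(16) for _ in range(n)]
    leak = [HW[SBOX[p ^ key]] + rng.gauss(0.0, sigma) for p in pts]
    return pts, leak


def kde_entropy(samples, h, grid=GRID):
    """Plug-in differential entropy (bits) of a Gaussian KDE with bandwidth h,
    integrated with the rectangle rule over `grid`."""
    n = len(samples)
    norm = 1.0 / (n * h * math.sqrt(2.0 * math.pi))
    dx = grid[1] - grid[0]
    ent = 0.0
    for x in grid:
        p = norm * sum(math.exp(-0.5 * ((x - s) / h) ** 2) for s in samples)
        if p > 0.0:
            ent -= p * math.log2(p) * dx
    return ent


def mutual_information(leak, model, h, h_leak=None):
    """I(L; M) = H(L) - sum_m P(M=m) H(L | M=m), every term from the same KDE.
    `h_leak` lets the caller reuse H(L), which does not depend on the key guess."""
    if h_leak is None:
        h_leak = kde_entropy(leak, h)
    by_class = {}
    for l, m in zip(leak, model):
        by_class.setdefault(m, []).append(l)
    cond = sum(len(ls) / len(leak) * kde_entropy(ls, h) for ls in by_class.values())
    return h_leak - cond


def mia(pts, leak, h):
    """Score every 4-bit key guess by the MI between the leakage and the
    Hamming weight of the guessed S-box output."""
    h_leak = kde_entropy(leak, h)
    return {k: mutual_information(leak, [HW[SBOX[p ^ k]] for p in pts], h, h_leak)
            for k in range(16)}


def key_rank(scores, key):
    """Position of `key` (0 = best) when guesses are sorted by decreasing score."""
    order = sorted(scores, key=scores.get, reverse=True)
    return order.index(key)


def silverman_bandwidth(samples):
    """Rule-of-thumb bandwidth h = 1.06 * sigma_hat * n^(-1/5)."""
    n = len(samples)
    mean = sum(samples) / n
    sd = math.sqrt(sum((s - mean) ** 2 for s in samples) / (n - 1))
    return 1.06 * sd * n ** (-0.2)


if __name__ == "__main__":
    KEY = 0xB
    pts, leak = simulate_traces(400, KEY, sigma=0.5)
    # Under-smoothed, rule-of-thumb, and grossly over-smoothed bandwidths.
    for h in (0.05, silverman_bandwidth(leak), 20.0):
        scores = mia(pts, leak, h)
        print(f"h = {h:6.3f}  MI(correct key) = {scores[KEY]:.3f} bits  "
              f"rank of correct key = {key_rank(scores, KEY)}")
```

With the rule-of-thumb bandwidth the correct key stands out by roughly a bit of estimated MI; with a bandwidth far wider than the class separation every conditional density collapses onto the same smooth bump, the MI estimates for all guesses drop toward zero and the ranking is no longer meaningful. That is the sense in which the estimator's hyperparameter, not the MIA concept itself, decides whether the distinguisher works.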

Journal ArticleDOI
TL;DR: This paper exploits the client/server architecture of the intra-platform communication to lure a client application to execute within its security context, a hostile code written and called from another security context: the server security context.
Abstract: Retrieving assets inside a secure element is a challenging task. The most attractive assets are the cryptographic keys stored in the non-volatile memory (NVM) area. Most research tries to obtain them through side channel attacks or fault attacks. Such cryptographic objects are stored in secure containers. We demonstrate in this paper how one can use some characteristics of the Java Card platform to gain access to these assets. Such a smart card embeds a firewall that provides isolation between applets from different clients (using the notion of security contexts). We exploit the client/server architecture of the intra-platform communication to lure a client application to execute within its security context a hostile code written and called from another security context: the server security context. This attack shows the possibility for a trusted application to execute within its security context some hostile code uploaded previously by the server.

Journal ArticleDOI
TL;DR: This paper proposes a new approach: multi-level formal verification, based on models encompassing the capabilities of the attacker, the susceptibility to faults of the hardware platform hosting the implementation, and the constraints imposed by the algorithm used for secret extraction in fault injection attacks.
Abstract: Fault injection attacks are an extremely powerful technique to extract secrets from an embedded system. Since their introduction, a large number of countermeasures have been proposed. Unfortunately, they suffer from two major drawbacks: a very high cost on system performance and a security that is frequently questioned. The first point can be explained by their design, based on techniques from the reliability domain, which results in solutions protecting against fault models that are either highly improbable in an attack context or that do not permit secret extraction. Conversely, the second point is due to the use of an incomplete attacker model for the security evaluation at design time. In this paper, we propose a new approach: multi-level formal verification, based on models encompassing the capabilities of the attacker, the susceptibility to faults of the hardware platform hosting the implementation, and the constraints imposed by the algorithm used for secret extraction. We first explain that the success of a fault injection attack depends solely on races between signals, which can be analyzed automatically. Then, we perform a multi-level evaluation on a hardware implementation of AES-128, which shows that the overhead of a countermeasure can be divided by eight while maintaining an almost identical level of security. Finally, we extend the model to electromagnetic injection.

Journal ArticleDOI
TL;DR: This special issue of the Journal of Cryptographic Engineering (JCEN) contains extended versions of four of the papers that were presented at the 18th Conference on Cryptographic Hardware and Embedded Systems (CHES 2016), held at the University of California at Santa Barbara, CA, USA, August 17–19, 2016.
Abstract: This special issue of the Journal of Cryptographic Engineering (JCEN) contains extended versions of four of the papers that were presented at the 18th Conference on Cryptographic Hardware and Embedded Systems (CHES 2016), held at the University of California at Santa Barbara, CA, USA, August 17–19, 2016. The conference was sponsored by the International Association for Cryptologic Research, and, after 2010 and 2013, it was the third time that CHES was co-located with CRYPTO. CHES is considered to be the leading conference in the domain of embedded security, in particular the implementation and deployment aspects of security and cryptography. It aims at bridging theory and practice by bringing together attendees from industry, government agencies, and academia.